November 2012 www.csoonline.com $9.00 BUSINESS RISK LEADERSHIP


Common Language

Cooperation between physical and IT security isn't new, but it is improved. Here's how it works today. 26

TECH: You're Stuck With BYOD. Here's How Your Peers Are Making It Safe 6

RISK: What's Your Total Cost of Risk? 14

LEAD: Former Zynga CSO: To Thrive, Security Needs Innovation 20


Because no two businesses are the same.

Introducing the flexible new range of IBM System x servers.

No two companies have the same IT requirements. That's why IBM® has a new range of System x® servers, built to handle workloads ranging from simple tasks to complex cloud-based and business applications. Featuring the latest Intel® Xeon® E5-2600 and E5-2400 series processors, these servers can be customized so that you can select features you need today and add more as your business needs change. Additionally, IBM Business Partners can help you find the server that meets your needs and pair it with the right IBM storage, networking and software solutions for a truly optimized infrastructure.

A new range of customizable servers to support your unique business needs.




IBM System x3650 M4 Express
$3,179 or $84/month for 36 months
PN: 7915-EBU
• Low TCO with exceptional performance per watt
• Flexible, "pay-as-you-grow" design to lower cost and manage risk
• Excellent reliability and uptime for business-critical applications and the cloud

IBM System x3530 M4 Express
$1,899 or $51/month for 36 months
PN: 7915-EBU
• 2-socket value server optimized for performance and value
• Dense 1U design for many general business workloads
• IBM DNA throughout, including RAS, flexibility and easy management

IBM System Storage® DS3500 Express
$5,499 or $135/month for 36 months
PN: 1746A2S
• 6 Gbps SAS system delivers midrange performance and scalability at entry-level prices
• Up to 192 drives: high performance and nearline SAS, SSD and SED SAS drives
• Four interface options: 6 Gbps SAS, 1 Gbps & 10 Gbps iSCSI/SAS and 8 Gbps FC/SAS

See for Yourself: The new IBM System x Selection Tool can help you choose the right server and save money. Visit: ibm.com/systems/flexibility

Contact the IBM Concierge to help you connect to the right IBM Business Partner. 1-866-872-3902 (mention 102JE09A)




Cover illustration by Anastasia Vasilakis

Common Language

26 Cooperation between security disciplines isn't new, but it is improved. Here's how it works today. BY BOB VIOLINO


10 Tulsa CIO's False Alarm Could Happen to Anyone
11 Did Iran Really Suffer a Cyberattack?
12 Don't Trust Chinese Telecom Manufacturers, Congressional Report Advises U.S. Companies
13 Malware Casts a Wide Net
13 Sophos Admits Bad Update Slammed Customers

Risk
14 What's Your Total Cost of Risk?
16 Benchmarks for Total Cost of Risk (TCOR)
17 Working the Kinks Out of Your Supply Chain
18 Remaking Risk Management
18 Certification Multiplication

Also Inside
2 Editor's Letter
4 Publisher's Letter
32 Last: A Modest Proposal

Lead
20 Former Zynga CSO: Innovate or Die
23 To Work Better, You Need a Change of Perspective
24 Making Metrics Matter to the C-Suite


November 2012 www.csoonline.com 1


I Like Risk

Many chess players, and I'm sure you are going to find this hard to believe, are boring. Even to their fellow chess players.

Because they try to play zero-risk chess.

These poor saps try to win by playing timidly, avoiding error at all costs, purely trying to create weakness-free positions. They don't gamble, but they also don't try new ideas, and they never play a game that anyone else would find interesting or creative or worth emulating. They aren't actually playing to win; they are playing not to lose.

It's a soul-crushing experience to sit down for a three- to four-hour game at my Tuesday night club, only to realize that my opponent's sole objective is to suck the life out of the position. This, I say, is no way to spend a Tuesday night. Zero-risk chess is boring.

In my professional life, as in chess, I have discovered that I like risk. I like creativity and I like winning. I am willing to gamble on my own judgment. And when I don't get the result I expect, I rethink my analysis with this new data. If I come to the same conclusion as before, I often double down.

Of course, the results of chess games don't matter. You lose spectacularly, you get to reset the pieces and try again from scratch next week. You look kind of stupid, but so what.

The results of taking this approach in business are much more tangible. Particularly with security risks, it doesn't make sense to be cavalier. But that doesn't mean your business should take no risks. Zero-risk business isn't just boring, it also has very little upside.

That is why security leaders have to become great evaluators of risk. Join me on my new blog, blogs.csoonline.com/blog/risks-rewards, and share your experiences as I delve into the exciting (not boring!) topic of risk management.

-Derek Slater, Editor in Chief, dslater@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol }. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.




Editor in Chief: Derek Slater, dslater@cxo.com, 508 935-4213, Twitter: @derekcslater
Managing Editor: Bill Brenner, bbrenner@cxo.com, 508 988-7587, Twitter: @billbrenner70
Senior Editor: Joan Goodchild, jgoodchild@cxo.com, 508 988-7994, Twitter: @msjoanieg
Copy Editor: Colleen Barry
Executive Director, Art and Design: Mary Lester
Art Director: Steve Traynor
Editorial Administrator: Pat Josefek
Research Manager: Carolyn Johnson
Contributors: Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino

Editorial/Advertising/Business Offices: 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Main phone number: 508 872-0080

Subscriber Services: Phone: 866 354-1125, Fax: 847 564-9453, cso@omeda.com

IDG Enterprise, an IDG Communications Company

International Data Group, Chairman of the Board: Patrick J. McGovern
IDG Communications, Inc., CEO: Bob Carrigan
Chief Content Officer: John Gallant



ADVERTORIAL

EXECUTIVE VIEWPOINT


Daniel Diermeier, Faculty Member, Northwestern University

Diermeier holds appointments as the IBM Professor of Regulation and Competitive Practice of Managerial Economics and Decision Sciences at the Kellogg School of Management, as well as Professor of Political Science at the Weinberg College of Arts and Sciences.

Ajay Jain, President and CEO, Quantum Secure

Ajay is responsible for setting the company's vision and strategy along with managing daily operations. He holds an MBA and an MS degree in computer and information science. Ajay was the founder of MarketFirst Software and Mokume software, both of which were sold to large, publicly traded companies.

FOR MORE INFORMATION: Visit www.quantumsecure.com. Download the white paper at www.csoonline.com/whitepapers/PIAM2


Quantum Secure and the CSO Custom Solutions Group


Physical Access Management: Risks, Pain Points and Solutions

Do policies, rules and governance-based physical access management eliminate or mitigate corporate risks?

Diermeier: Management of corporate risk requires strategies that reduce the occurrence of risk, and strategies that mitigate the impact should an event occur. Proper risk management strategies require effective processes. A company's risk exposure increases if it lacks proper governance structures and processes. Exposure now goes beyond traditional security risk, and includes reputational and regulatory risk. This magnifies the potential impact of security breaches.

In the context of physical access security, particularly important shortcomings include lack of processes and policies for granting and revoking facility access, and inability to properly monitor who is where and why. Systematic physical access security policies and rules give security managers enough internal control to deter, detect, report and react against threats in a timely manner. Accountability is the key to threat mitigation, and when physical access management is accountable and auditable, corporations see a large part of risks eliminated. Should an event occur, clear and documented rules and policies also help mitigate reputational and regulatory risk.

What factors drive the adoption of physical identity and access management (PIAM)?

Diermeier: For most companies, mitigation of corporate risk by eliminating untoward facility access given to a person, especially to restricted areas, is the main driver for adoption of PIAM technologies. However, increasing reputational and regulatory risk has elevated the importance and visibility of PIAM processes to senior management and the board. The need to manage these risks is paramount in industries like aviation, healthcare, government, energy, oil and gas. These industries must track, monitor and prevent untoward physical access. A potential breach can have disastrous consequences that trigger additional risks. In addition to effective risk mitigation, systematic management of physical access grants and revocations may even save on operational costs and generate business efficiencies.

What is PIAM and how does a vendor-supplied solution work?

Jain: PIAM is a set of processes, policies, and technologies for managing the physical identity lifecycle (on-boarding to off-boarding) and the rules governing physical access in an automated fashion across geographies and multiple physical access systems. This means all identities and their physical access are always authenticated, authorized and auditable. Quantum Secure's flagship PIAM product suite, SAFE, integrates and helps interoperate disparate physical access systems into a common master identity repository, and creates policy-based physical access assignment rules governing all identities. This is all done electronically, consistently and with a full audit trail.

What are the top pain points in traditional physical access management?

Jain: Traditional in-house physical access management methods are loosely defined and manually enforced without accountability and auditability. Manual processes and inflexible custom solutions negatively affect data and IP protection.

How does PIAM address and solve those pain points?

Jain: PIAM creates an overlay system of governance and compliance so the physical identity lifecycle of employees, contractors, temp workers and visitors is managed electronically via a set of rules and policies. PIAM creates a centralized system of auditing and reporting, eliminating corporate risk as it relates to physical access.

Why do companies use in-house custom-developed PIAM solutions?

Jain: Necessity is the mother of invention. PIAM has only recently been offered as a comprehensive solution. Quantum Secure has replaced in-house custom solutions with its SAFE system in most of its customer base. Those companies are reaping rich rewards of this standardized and evolving technology. ■


Subsidizing the Future

Corn.

Sounds like a strange topic for my letter to you this month, doesn't it? Well actually I want to talk about corn subsidies.

In the United States we want to make sure that corn farmers continue to grow corn, so the government gives farmers cash to do just that.

It keeps the fields full of corn that we need to feed livestock and people, and to produce ethanol. We've been doing it for years, and we continue to do it because we want to make sure that there will be corn there at harvest time.

It's about planning ahead and creating subtle pressure on the market, in this case farmers, to help us meet demand that we know will be there. Simple concept, right?

In any profession, you need to be asking questions about the future, whether that future is near- or long-term. For farmers, the question might be, "Do I plant corn or alfalfa?" Subsidies help make that decision easier for them.

Growing the next generation of IT security professionals isn't all that different from growing corn. Globally, the security industry is struggling to keep up with the demand for skilled, trained IT security professionals. Here in the United States, a number of universities have launched degree and certificate programs designed to do just that. The problem: There are too few of them and they can't possibly hope to turn out enough security professionals in the next few years to meet the growing demand.

This is a concern that CSOs across America have told me about frequently and with increasing fervor. But I fear that these complaints are just wasted breath until our educational institutions start to focus much more on teaching IT security, not just IT (sans the security), as a profession. To make that happen, we need to implement the equivalent of corn subsidies for security. I'm not talking about throwing government money at the problem; I mean it metaphorically.

All of you should exert pressure on the market by reaching out to your alma maters and the colleges and universities near where you live and work and cajole them, pressure them and plead with them to take this problem to heart and help solve it. You also have to let kids know that IT security is a very attractive career with great prospects and good compensation.

It's easy for us to complain about the shortage of good IT security people. It's harder to solve that problem. Where do we start?

-Bob Bragdon, publisher, bbragdon@cxo.com


Advertiser Index

ASSA ABLOY ... 25
CSO ... 9, 15, 19, 21
Hewlett-Packard Development Co., LP ... C3
IBM Corp. ... C2
Quantum Secure Inc. ... 3
RSA & Terremark ... 7
Tripwire Inc. ... C4
Tyco Integrated Securities ... 5


Executive Committee
President & CEO: Michael Friedenberg
Executive Assistant to the President & CEO: Pamela Carlson
SVP of Human Resources: Patricia Chisholm
SVP of Events: Ellen Daly
SVP & Chief Content Officer: John Gallant
SVP of Digital: Brian Glynn
SVP of Strategic Programs & Custom Solutions Group: Charles Lee
SVP, Group Publisher & CMO: Bob Melk
SVP & General Manager, Online Operations: Gregg Pinsky
SVP of DEMO: Neil Silverman
SVP & COO: Matthew Smith
SVP & General Manager, CIO Executive Council: Pam Stenson
SVP of Digital & Publisher: Sean Weglage

Sales
Publisher: Bob Bragdon
Senior National Sales Manager: Per Melker
East Coast Regional Director, Integrated Sales: Roz Burke
Account Director, Integrated Sales West: Mary Hazelton
Sales Associate: Sarah Nadeau

Integrated Media and Online Sales
East Coast Online Regional Sales Manager: Richard Hartman
West Coast Online Regional Sales Manager: Erika Karr
Central Online Regional Sales Manager: Stacy Bryne
Director of Ad Operations & Project Management: Bill Rigby
Director, Online Account Services: Danielle Tetreault

Production
VP Production Services: Chris Cuoco
Production Manager: Heidi Broadley

Marketing
Vice President, Marketing: Sue Yanovitch
Marketing & PR Manager: Lynn Holmlund

List Services
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com




ADT Business Solutions is now Tyco Integrated Security

Your business security will never look sharper

When you have a challenging security issue, you need to see it solved quickly. That's why you need Tyco Integrated Security. We are the industry leader in commercial security, with world-class monitoring centers and thousands of qualified technicians. But what really separates us is our personal passion for helping you protect your business. As your security provider, we'll help you create powerful, intuitive security solutions that are customized just for you. We'll show you the future of security, so you can focus on the future of your business.

That's sharper thinking.

ACCESS CONTROL | FIRE | INTRUSION | VIDEO

www.TycoIS.com | 1.800.2.TYCO.IS




TOOLS | SYSTEMS | NETWORKS | DATA | PRIVACY


Stuck in the BYOD Briar Patch

There's no preventing people from using personal tech for work. But as two CSOs explain, securing these devices is a painful process. BY BILL BRENNER

RICK BLAISDELL PROBABLY UNDERSTANDS the challenges of bring-your-own-device (BYOD) programs better than most. As CSO and CTO of ConnectEDU, he's accustomed to working in an environment where people plug into the network and access data using a variety of computing tools. Still, he says, letting people do these things with their own smartphones and tablets adds a new level of risk.

"I'd like to offer users the flexibility to use what they are using," says Blaisdell, whose company has 170 employees and keeps adding more. "But if we have confidential data on their devices, we need certain safeguards in place to make us comfortable."

And so it goes for many organizations. BYOD is a trend few will be able to escape, and most shouldn't even bother trying. Research giant Gartner recently described the rise of BYOD programs as the single most radical shift in the economics of client computing for business since PCs invaded the workplace. Since that's the case, Gartner says, every business needs a clearly articulated position on BYOD, even if it chooses not to allow it for now.

"With the wide range of capabilities brought by mobile devices, and the myriad ways in which business processes are being reinvented as a result, we are entering a time of tremendous change," says David Willis, vice president and distinguished analyst at Gartner.

"The market for mobile devices is booming, and the basic device used in business compared to those used by consumers is converging. Simultaneously, advances in network performance allow the personal device to be married to powerful software that resides in the cloud."

ADVERTORIAL

Enterprises Want Better Visibility with Cloud Services

Market Pulse

SECURITY WORRIES HAMPER CLOUD UPTAKE, RESEARCH SAYS

IDG Research Services recently surveyed 132 senior IT professionals and learned that enterprises have a significant interest in improving their visibility into public cloud services. Security concerns emerged as the biggest reason for this: Organizations want to be able to see, track, and remediate unauthorized and unwanted activity, but they feel their ability to do so is limited.

The growing preoccupation with security matters is understandable. Companies are now paying a high price to battle sophisticated attacks carried out by organized cybercriminals. In addition, governance, risk, and compliance (GRC) initiatives are commanding a higher priority than ever before due in large part to ever-increasing regulatory burdens.

At the same time, the economic attraction of public cloud services is obvious. Public cloud services allow cost-conscious companies to push hefty capital expenditures (capex) into usage-based, pay-as-you-go operational expenditures (opex) for more predictable and easier to manage IT budgets.

Many IT departments perceive that getting both the cost advantages of cloud services and the level of security visibility they require is beyond their reach, at least at this time. The survey revealed a significant chasm between the level of cloud service visibility that is available and that which is desired.

That gap is holding back public cloud service deployments. Nearly two-thirds of respondents see visibility limitations as a cloud adoption roadblock. About the same percentage say improvement in cloud visibility would increase their comfort with using public cloud services.

» Key Survey Findings

Specifically, IDG Research Services' survey revealed the following state of visibility into public cloud services:

• Less than 10 percent of respondents are "extremely confident" in the adequacy of cloud network traffic visibility.

• There is a significant gap between what's available and what IT pros need when it comes to commercial visibility capabilities.

• Security is the biggest driver behind enterprises' desire for better cloud visibility.

• Most organizations have deployed multiple point solutions for cloud visibility and lack a comprehensive view of network activity, resulting in fragmentation and complexity.

• The majority of respondents are making it a strategic priority to get better cloud visibility during the next 12 months.

» Takeaways

IT and security professionals are uneasy about the current state of visibility into cloud services. Different cloud providers offer different levels of visibility, which does not necessarily suit organizations of all sizes, industries, and security postures. Most organizations are concerned about giving up network visibility because of security worries. As attacks become more sophisticated and GRC programs grow tighter, companies stand to lose more if a security breach should occur.

As a result, more than three-quarters of the IDG survey respondents are making the improvement of cloud network visibility at least a moderate strategic priority over the next 12 months. They believe it will help them prevent unauthorized behavior by sharpening their ability to respond to threats and detect data leakage. But assuring their organizations' overall competitive posture is their ultimate goal. By protecting data, senior IT professionals aim to prevent customer dissatisfaction, reputational damage, and loss of business.

For more information or to see the entire report, visit www.csoonline.com/white-papers/rsa-terremark.

Tech

It's no easy task. ConnectEDU, which uses its data to help students plan for college and make career choices, deals with more than 1,200 colleges and universities. Data is locked down tightly in Blaisdell's IT shop due to the mountain of regulations the company must comply with.

"I've locked it down in a location, whereas other organizations have data in different places. We have audit trails, and only a handful of people can access data," he says.

Making it work also requires that employees take on a lot more responsibility. They must sign a contract pledging that their devices are free of malicious software, and they need a PIN on their device. Blaisdell's department regularly conducts individual audits to ensure the PIN is there.


"We say to them: If you are using a device with access to confidential information, nobody else can use that device," he says. "That would be like letting someone jump on your computer at the office."

So what kind of data is allowed on employee devices? For now, just email. And in addition to the data lockdown, Blaisdell uses Security Innovation to look at the company code base and educate the development team about vulnerabilities to ensure more secure code.

Also dealing with the challenge is David Cass, senior vice president and CISO at Elsevier, one of the largest global publishing companies in the world, with 8,000 full-time employees and thousands more contractors. In addition to its hardcover books, the company is adding more online journals and databases to its product line. More than 800 applications, including 220 mobile apps, go into the company's operations. In that environment, enabling BYOD is a no-brainer, though no less challenging. The infrastructure for BYOD is in place, Cass says, but the policies need work.

"We're just venturing in," he says. "The key for us is making sure we update policies to support BYOD. Legacy policies don't really cover smartphones. We need to determine what kind of data and apps will be allowed, and we need a tool that works across devices."

Cass agrees with Blaisdell that BYOD requires a lot more personal responsibility among the members of the workforce. "You have to agree to give up some privacy to get company email delivered to your phone," he says. "It's a balancing act. Despite that, people are still signing up because they want the convenience."

Users are increasingly looking for what could be called the Goldilocks solution, neither too much security nor too little, according to a recent study conducted by Carnegie Mellon University. The institution asked a small group of mobile-device users, those with smartphones and tablets, about how locked-down their devices should be. Locked is "too hard," while unlocked is "too soft," the researchers found. The just-right solution? Setting up their devices so that "roughly half their applications [are] available, even when their device is locked, and half [are] protected by authentication."


Bank Hackers May Be Well-Funded Organization

Cyberattackers who disrupted the websites of U.S. banks in late September used a highly sophisticated toolkit, which points to the attacks being part of a well-funded operation, one security vendor says. Prolexic Technologies says the distributed denial-of-service (DDoS) toolkit called itsoknoproblembro was used against some of the affected banks, including Wells Fargo, U.S. Bank, PNC Bank, Bank of America and JPMorgan Chase.

Each bank was struck on a different day. The attackers, who called themselves Izz ad-Din al-Qassam Cyber Fighters, claimed to be hacktivists angry over YouTube videos made in the United States that denigrated the prophet Muhammad. Security vendors have questioned this claim, saying the assaults were far more sophisticated than those launched by typical hacktivists. Prolexic’s findings bolstered that belief. The toolkit used is capable of simultaneously attacking components of a website’s infrastructure and its application layers, flooding the target with sustained traffic peaking at 70 gigabits per second. Prolexic also found that traffic signatures were unusually complex and difficult to reroute away from targets.

The vendor says the attackers likely spent months probing the sites for the components most susceptible to a DDoS assault.

-Antone Gonsalves






Tech

Bill Brenner, managing editor
CSOonline’s Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso

SALTED HASH

Tulsa CIO’s False Alarm Could Happen to Anyone

Tulsa CIO Tom Golliver is on paid administrative leave after the city’s response to a data breach turned out to be a false alarm. What happened there could happen anywhere.

Golliver kind of reminds me of Chief Brody in the second Jaws movie. He sees what he thinks is a great white, yells at everyone to get out of the water, and fires away at what turns out to be a school of bluefish.

In this case, the shark Golliver saw was an apparent data breach, and the school of bluefish was a security company that was merely testing the city’s network for holes.

The comparison ends there. Unlike in the movies, it’s far from certain that the real menace, an actual breach, will ever surface to vindicate Golliver as the shark did for Brody.

By all accounts, the city seems to be doing the right things as it investigates what happened. Here’s the basic story from Tulsa World, a local paper:

“Tulsa’s chief information officer, Tom Golliver, was placed on paid administrative leave Monday after it was revealed that the city’s website hadn’t been hacked after all. A third-party security firm that was hired to do periodic, unannounced tests of the city’s networks for vulnerabilities used an ‘unfamiliar testing procedure’ last month that city IT personnel misinterpreted as an unknown breach, according to a city statement. The city’s website was offline for more than two weeks as an investigation was conducted and additional security measures were taken. Some website functions, such as the public meeting agenda postings, are still not working.

“City officials didn’t realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed.

“The mailing cost the city $20,000, officials said. The letters encouraged those contacted to closely monitor their credit reports for suspicious activity.”

Some of you will give me a verbal lashing for this, but I have to say it: I feel bad for Golliver.

It was indeed a costly false alarm for the city, but isn’t a false alarm better than no alarm when the real attack comes?

There are different angles from which to explore this. On the one hand, you could argue that there can be no mercy for the guy who sounds a false alarm because the city’s reputation was twice tarnished: first, when the public was made to think a breach happened, then again when the news breaks that it was a false alarm, leaving officials with egg on their faces. But one could also argue that the incident response worked as designed, going off at the first sign of trouble.

Of course, it does look foolish when you see abnormal activity and don’t check first to see if it’s from the company you hired to test network defenses.

That should be a valuable lesson for Golliver going forward, whether he gets his job back or ends up someplace else.

I can see him giving a presentation on what happened and what he learned to a packed audience at some future security conference.

My hope is that this doesn’t turn out to be a career-killer for the man. As zany as this was, the department was just doing what it thought was right at the time.

Money was wasted, sure, but I’ll bet that if you examined the city of Tulsa’s balance sheets (or those of any other organization), you’d find a lot more money wasted on things far more outlandish.


WISDOM WATCH

Did Iran Really Suffer a Cyberattack?

Iran’s claim that its domestic Internet system suffered a slowdown due to a serious cyberattack could be accurate, but experts say they can’t know for sure without a lot more details.

Mehdi Akhavan Behabadi, secretary of Iran’s High Council of Cyberspace, told the state news agency that Internet access across the country was disrupted by an attack with traffic of several gigabytes, Reuters reported.

Iran’s government moved the country last month onto a domestic Internet, claiming it needed better cybersecurity.

“Presently we have constant cyberattacks in the country,” Behabadi says. “Recently an attack with a traffic of several gigabytes hit the Internet infrastructure, which caused an unwanted slowness in the country’s Internet.”

Whether the attack was real is hard to determine. Darren Anstee, lead solutions architect for cyberattack mitigation company Arbor Networks, says he did not see much change in traffic to Iran over a weeklong period in October. However, he acknowledged that his company’s view was limited. Behabadi’s comments were puzzling because attacks are usually described in terms of gigabits per second, not gigabytes, which is a much larger unit of measure. “It really looks like it was taken out of context,” Neal Quinn, chief operating officer of Prolexic, says of the Iranian official’s quote. “It also looks like it has been translated from another language. Both of those things together make it really, really hard to draw any good conclusions about what was being said.”

An infrastructure attack aimed at routers, firewalls or load-balancers could cause the kind of disruption described by Behabadi, Quinn says. However, Iran is not the only country that has built a domestic Internet to filter content from the public Web. China has the most extensive such network and has not reported nationwide problems from cyberattacks.

Michael Smith, a security evangelist for Akamai, says small countries that do Internet filtering are more prone to outages, particularly if they have limited Internet capacity. “They have an additional fail point in the servers they are using to do content filtering,” he said in an email.

Behabadi said attacks against the nation’s Internet infrastructure are organized and targeted at the country’s nuclear, oil and information networks. For some time, Western nations have been accusing Iran of pursuing a nuclear program bent on building an atomic bomb. Iran claims its uranium enrichment facilities are for creating fuel for power plants.

In 2010, several Iranian nuclear facilities were struck by the Stuxnet computer malware, which experts believe damaged centrifuges used to enrich uranium. The New York Times reported that the United States and Israel were behind the attack. Israel has warned that if Iran does not halt its nuclear program, Israel will respond with a military strike. -Antone Gonsalves


Leaders and Lightweights

Tulsa CIO Tom Golliver. The city suspended him pending an investigation after the data breach his team reported turned out to be a test performed by a security contractor. Golliver jumped the gun and cost the city money. But doing something was better than doing nothing.

Sophos. The vendor deserves credit for owning up to a failure recently. Customers reported that Sophos antivirus software was detecting the Shh/Updater-B malware when it wasn’t really there. Sophos issued a fix, then did more: It admitted in its Naked Security blog that this was a false positive.

Mark Weatherford at the Department of Homeland Security. It’s refreshing to see Weatherford, DHS’s undersecretary of cybersecurity, looking for help in new places. During the recent CSO Security Standard conference, he noted that the best talent doesn’t always come with a college degree. “There are people out there who didn’t go to college, but they spent much of their time breaking things and putting them back together,” and DHS needs their help, too.

Congress. A lot of industry leaders have groused about Congress’ inability to pass a cybersecurity bill, but there is an upside in its failure to act: The legislation that was on the table was loaded with pork that would do nothing to improve things and would in fact threaten our civil liberties. -B.B.




Tech

Don’t Trust Chinese Telecom Manufacturers, Congressional Report Advises U.S. Companies

A House committee report found that telecom equipment manufacturers Huawei and ZTE pose a cyberespionage threat to U.S. communications, and experts say the report raises legitimate concerns and signals a more aggressive approach toward China.

The House Intelligence Committee recommended that the U.S. government and corporations not do business with the companies, saying that it’s impossible to guarantee that their products would be free from spyware. Experts believe China is a hotbed of cyberespionage activity.

Huawei and ZTE deny the allegations, with Huawei claiming the panel’s findings were based on “rumors and speculations.” Huawei, the world’s second-largest supplier of telecom networking gear, says the committee’s 11-month investigation “provided no clear information to substantiate the legitimacy of the committee’s concerns.”

But experts believe the report raised important points. “I don’t think there’s an immediate threat to the level that as soon as Huawei equipment is installed in the [United States], American data will begin to be harvested,” IDC analyst John Grady said in an email. “Rather it’s the longer view towards what could potentially happen, which I think is a valid concern.”

Dave Aitel, chief executive of penetration-testing company Immunity and a former research scientist for the National Security Agency, says the committee’s report indicated that the government was taking a stronger stance against cyberespionage emanating from China.

“You’re starting to see the [U.S.] government get much more activist with this,” he says. “I’d say software vendors are next. If they catch a software vendor doing similar things, they’re going to blackball them.”

The committee report claimed that Huawei and ZTE did not provide enough detailed information or internal documentation to convince the panel that their relationship with Chinese authorities did not pose a threat to the nation’s communications infrastructure.

“Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems,” the report said.

The Department of Defense (DoD) has claimed that China is home to “the world’s most active and persistent perpetrators of economic espionage.”

“Chinese attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security,” the DoD said in a report to Congress this year.

China has denied the allegations, and Huawei says there is no proof that it’s involved in cyberespionage. “The report released by the Committee today employs many rumors and speculations to prove nonexistent accusations,” Huawei says.

Huawei claimed the report was an excuse to prevent the companies from competing in the U.S. market. “We have to suspect that the only purpose of such a report is to impede competition and obstruct Chinese [information and communications technology] companies from entering the U.S. market,” the company says.

Grady acknowledged that competition between U.S. and Chinese tech companies couldn’t be discounted.

“I do think that a lot of this is driven by the fact that it’s China,” he said. “We can point to many examples of ties between network or security companies and militaries and governments around the world, but those militaries and governments aren’t China, so reports like this haven’t been written.”

ZTE, the world’s fourth-largest mobile phone maker, says the committee’s finding that it may not be “free of state influence” could apply to any company operating in China. Nevertheless, there’s still a risk in working with companies like Huawei and ZTE because a government plant could insert spyware within firmware that would still pass regression testing by a quality assurance team, Aitel says.

“In this case, the American government is worried about Chinese major manufacturers from the top down targeting particular segments of the United States infrastructure,” he says.

Huawei has significant portions of the worldwide enterprise and carrier markets for networking equipment. The company is strongest in Asia and Europe, but is not an important player in the United States, Gartner analyst Kathie Hackler says.

The committee report could damage efforts the company has made recently to increase U.S. sales, if the classified evidence the panel has is made public and is proven to be true. -A.G.




Malware Casts a Wide Net

Malware purveyors are now primarily in the mass-distribution business.

That has been the trend, and managed security services provider Solutionary confirms it. Among the key findings of the company’s third-quarter report was that of the malware it analyzed, 92 percent was mass-produced. But that does not mean that targeted attacks have ceased, says Don Gray, chief security strategist at Solutionary.

“If you’re the target, that’s a huge problem,” Gray says, but in general, for cybercriminals in the malware business, “the wider the net you can cast, the better.”

The report says the majority of mass-distributed malware samples were banking Trojans, malware that uses man-in-the-browser keystroke logging to steal victims’ bank account information so that it can later be used to make fraudulent charges.

Improvements to man-in-the-browser attacks are a factor in the mass-production trend. Security vendor Trusteer reported last month that it had discovered a “universal” man-in-the-browser attack, one that is not limited to targeting specific websites. Instead, any time an infected user visits a website, the malware recognizes form fields such as those for names, addresses, credit card numbers and passwords.

It also extracts the valuable data in real time, eliminating the need for “post processing,” where hackers sift through the logs to find usable information.

Solutionary says the most common method of delivery for the banking Trojans is phishing emails claiming to be from legitimate, trusted brands by impersonating messages such as UPS delivery confirmations, Better Business Bureau complaints, flight ticket confirmations and scanned documents.

“Once victims are lured to compromised websites, their browsers were redirected, unbeknownst to them, to a Blackhole Exploit Kit landing page, which then installed additional malware,” the report says.

The Blackhole exploit kit has also been improved recently: version 2.0 was introduced last month on the Russian site Malware Don’t Need Coffee. The toolkit, which is popular among cybercriminals, contains several new features meant to prevent detection by antivirus software. One of the most effective, according to experts, is the ability to generate short-term, random URLs pointing to malicious websites or hijacked sites that contain hacker-installed malware. That makes identifying malicious pages much more difficult.

“It’s less detectable, more stealthy and less obtrusive,” says Gray. “It sort of steps up the game.” Blackhole 2.0 also includes support for Microsoft’s Windows 8. “They’ve broadened the base,” he says.

That would at least partially explain another major finding from Solutionary’s researchers, which is that antivirus solutions were unable to detect 60 percent of malware in the wild.

“That’s probably a very conservative estimate,” Gray says. “With all the investment and sophistication put into antivirus, it’s not getting the job done.”

Gray says that while antivirus products should still be a part of a layered security system, and while he is also a fan of application white-listing, these things alone are still not enough.

-Taylor Armerding


Sophos Admits Bad Update Slammed Customers

Security firm Sophos apologized for wreaking havoc on customers’ networks after a faulty update caused its antivirus software to give false positives for certain malware on Windows computers.

“We would like to apologize for all the disruption caused to our many customers worldwide,” Sophos said in a statement after the September incident. “We recognize the issue is very serious, and are doing everything we can to resolve it.”

Sophos says in a critical advisory that it thinks the problem was caused by a release from SophosLab for use with its Live Protection system. Although the company issued a corrective update, it says it’s conducting a “full investigation” to determine how this happened and to ensure it doesn’t happen again, and it expects to provide more information shortly about the issue.

In its advisory, Sophos notes that users affected by the faulty update would see symptoms such as the software reporting that it had detected malware called Shh or Updater-B. Sophos added that other mechanisms may not be functioning correctly, and that the Sophos shield icon may disappear, which could be a sign that the installation is corrupted.

-Ellen Messmer




What’s Your Total Cost of Risk?

It’s time for you to start working with insurance managers. By Michael Fitzgerald

What’s your total cost of risk (TCOR)? If you don’t know, you need a better connection to your company’s risk managers, who measure risk by what can be insured and what it costs to do so. While the measurement of operational risks is still a bit of a puzzle for CSOs, risk managers have used TCOR for ages.

In the digital and compliance age, CSOs are being better integrated into the risk management and measurement process, says David Bradford, the man who leads the survey that establishes a key measure of risk insurance: the RIMS Benchmark Survey, from the Risk and Insurance Management Society. Bradford is president of the research and editorial division of Advisen, which conducts the annual survey on behalf of RIMS. Risk managers use the benchmark to see if they’re paying too much for their insurance.

But as the discipline of risk management is evolving, so too is the calculation of TCOR. The measure is now expanding to include less tangible costs, like lost productivity. Bradford spoke with CSO about the changing landscape.

CSO: How do you assess the total cost of a company’s risk?

Bradford: The concept is maybe a little deceptive when you say “total cost of risk.” It’s the total cost of things risk managers are responsible for. The idea has been around since the 1940s or ’50s. The way we traditionally define it for purposes of the RIMS Benchmark survey, it’s:

■ the cost of insurance


■ plus the cost of the losses that are retained instead of or as part of your organization: for example, risks the policy doesn’t cover, or a company’s deductible

■ and the administrative costs of the risk management department

That definition continues to be useful. But now you have to think about strategic risk, operational risk, your information security risk; it gets to be a fairly massive cost. And you have to figure out how to benchmark yourself against other organizations.

What was the big takeaway from this year’s benchmark?

The total cost of risk relative to insurance operations, after going down for a few years in a row, edged back up this past year. The cost of insurance is driven in large measure by how much capital there is inside the insurance industry. Capital is equivalent to supply. If you have a lot of capital, you have a lot of supply, and the insurance industry has been awash in supply since about 2004. This past year, the supply of capital is still high, but the financial performance of the industry was so dismal that they started to put the brakes on rate decreases, so the cost of risk rose marginally.

From RIMS’ perspective, who is a risk manager?

There’s typically somebody with that title in larger organizations, and their role is to look at the types of risks that can be insured. They make the decision on whether something can be insured and go out and purchase [that policy].

In a healthcare organization they have clinical responsibilities; in a bank they have financial responsibilities.

Not necessarily a CSO?

Not traditionally, but everything’s changing now. A lot of organizations are looking at information security from the standpoint of an enterprisewide problem or solution. The risk manager becomes part of an interdepartmental team headed by a CISO.

How is the RIMS benchmark changing?

We’re looking at the more expansive view of risk, how people are thinking about risk and what constitutes the real costs of risk in a changing world. We’re looking at things like brand and reputation issues in addition to your hard costs. Risk managers are being questioned about the soft costs, the intangibles.

We are just now developing awareness that the traditional view of cost of risk is not necessarily going to be as useful in the future.

What’s driving these changes?

We’ve been creating this book [the benchmark] for years and assuming the industry was satisfied with the definition of the total cost of risk, but had never tested that premise. A couple of years ago we did a supplemental survey of risk managers and asked them what sort of additional factors are being incorporated into their thinking.

We gave them a list of different categories of risk. IT risk only made it into the equation for 10 percent of the respondents.

How many companies buy insurance for cybersecurity?

There’s a thriving market for insuring against cyberfraud and hacking. We just completed a survey and I believe that close to 40 percent of larger organizations now buy [this type of insurance].

Does the TCOR metric matter to CSOs and CISOs?

I think so. Obviously for CSOs, risk is the thing they’re battling against. If you get into brand and reputation issues in addition to your hard costs, there’s got to be some way to say, “Here’s what we’re spending on managing risk, and here’s the benefit we’re getting from it.”


BY THE NUMBERS

Benchmarks for Total Cost of Risk (TCOR)

$10.19 per $1,000 of revenue: average TCOR for all surveyed companies in 2011

1.7%: increase in average TCOR from 2010 levels

9%: increase in cost of property premiums in 2011

“Globally, 2011 was a near-record year for insured catastrophe losses. As a result, the price of property insurance coverage increased for many insureds....This was one of the most significant reasons TCOR grew in 2011”

-Dave Bradford, editor in chief, the RIMS survey

Source: 2012 RIMS Benchmark Survey




Working the Kinks Out of Your Supply Chain

Resilience, speed and visibility. Those are three magic words that make any supply chain manager’s ears perk up.

And Scott Byrnes can explain the connections between them. Byrnes is vice president of marketing at Amber Road, which makes software to manage global trading, and he has interesting tales to tell about how customers are looking at their supply chains today, given the ever-more-interconnected nature of commerce.

“Think of the flooding in Thailand, the volcano in Iceland and the tsunami in Japan. Those three things shut down a lot of people’s supply chains,” Byrnes says. “A disaster in what might formerly be considered a remote part of the world now impacts everybody.”

As a result, resilience has risen up the ladder of corporate concerns, with manufacturers and buyers looking to diversify their supplier bases and modes of transportation.

When the Eyjafjallajokull volcano erupted in April 2010, critical air routes around Europe were closed. “The companies that responded fastest secured the excess [alternative] transportation capacity (by rail, for example) that was available. So the leaders locked those channels down pretty quickly and shut everybody else out,” Byrnes says.

When it comes to getting visibility into process, Byrnes relates the story of one pharmaceuticals company that started looking into supply chain problems in regards to customer service problems.

The company found that a number of its supply chain partners were consistently providing inflated lead times, a common practice that suppliers use to avoid missing deadlines or being unable to meet a spike in demand. However, the result for the pharmaceutical company was an extra $100 million of inventory stuffed in the chain. (This is called the “bullwhip effect,” in industry-speak.)

Initiatives that improve security in the supply chain can often yield other business benefits: See, for example, “How to Improve Supply Chain Security (The Trick Is to Keep It Moving),” from CSO’s special Global Security issue back in 2004 (www.csonline.com/article/219649).

-Derek Slater


A ship swept inland by the tsunami in Kesennuma, Miyagi Prefecture, Japan. (Photo: Damir Sagolj/Reuters)


Remaking Risk Management

ENTERPRISE RISK MANAGEMENT (ERM) IS SHAKING THE CORPORATE world, perhaps because the world is shaking up ERM.

A study conducted this spring by Deloitte and Forbes Insights finds, for starters, that an astonishing 91 percent of respondents plan to reorganize and re-prioritize risk management over the coming three years. Planned changes included:

■ elevating the function within the organization (52 percent)

■ reorganizing processes (39 percent)

■ providing additional training for staff (37 percent)

■ incorporating new technology (31 percent)

■ integrating ERM into strategic planning (28 percent)

Why all the turmoil? ERM programs are changing in response to a variety of forces. These stimuli include market volatility, regulatory changes, and even the rise of social media, which is the fourth-most-commonly cited source of risk in the survey. Overall, the Deloitte study notes, companies have “less tolerance for volatility and less tolerance for surprises” in the wake of ongoing global financial challenges, as one survey participant put it.

The response base comprised three broad industry groupings: life sciences and healthcare, consumer and industrial products, and telecom. Interestingly, when asked about their preferred outcomes of ERM efforts, life sciences companies were more likely to be concerned about compliance with regulatory changes; respondents from the other two industries were more focused on improving revenue growth.

In our observation, security pros (and associations and vendors) are prone to shave off their own piece of the risk management pie, dubbing their disciplines security risk management, information risk management, and so on. These naming conventions can provide focus, but they may also foster the development of functions that are out of sync with broader ERM initiatives.


What do you believe are the biggest challenges you face to effectively manage risk? Top answers:

■ 28%: People are unaware of what they need to do concerning risk

■ 27%: Cost and budgetary constraints

■ 26%: Incentives do not reward making risk-based decisions

■ Inadequate information to make risk-based decisions (percentage illegible in the source chart)

■ Lack of clarity of risk roles in the organization (percentage illegible in the source chart)

Note: Respondents could choose more than one answer.

THE SECURITY WORLD is awash in certifications. But the profession doesn’t stand alone in that regard. Here are three certifications offered to professional risk managers.

Professional Risk Manager is issued by the Professional Risk Managers’ International Association (PRMIA). Certification requires passing four separate exams:

■ Finance Theory, Financial Instruments and Markets

■ Mathematical Foundations of Risk Measurement

■ Risk Management Practices

■ Case Studies, PRMIA Standards of Best Practice, Conduct and Ethics, Bylaws

Associate in Risk Management is issued by the American Institute for Chartered Property Casualty Underwriters. It focuses on financial risk management through insurance: “The...program helps you enhance your risk management skills by teaching you how to build and implement a balanced risk financing strategy using retention, transfer, and hybrids.”

Financial Risk Manager is issued by the Global Association of Risk Professionals. This certification comprises two exams:

■ Part I covers the tools used to assess financial risk: quantitative analysis, fundamental risk-management concepts, financial markets and products, and valuation and risk models.

■ Part II focuses on using the tools from Part I in a deeper dive into market, credit, operational and integrated risk management, investment management, and current market issues.


CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You. Delivered right to your desktop.

■ CSO Update: A look at the latest security news and analysis on CSOonline.com, delivered twice a week.

■ CSO Salted Hash: IT security news and analysis, over easy, delivered daily.

■ CSO News Watch: A recap of the week’s top news stories.

■ CSO Career: A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

■ CSO Tech Watch: Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

■ CSO Security Leader: Monthly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

■ CSO Continuity & Recovery: A twice-monthly review of published material concerning business continuity and disaster recovery.

■ Security Research & Metrics: A monthly roundup of useful security research, benchmarks and statistics.

Sign up now for CSO’s complimentary e-mail newsletters: www.CSOonline.com/newsletters


Former Zynga CSO: Innovate or Die

Cloud Security Alliance co-founder and former Zynga CSO Nils Puhlmann reflects on what he’s learned and explains why he thinks the industry needs more pioneers. By Joan Goodchild


FOR THE PAST THREE YEARS, NILS Puhlmann was head of security for Zynga, the social games company that created megahits Farmville and Words With Friends.

Managing Zynga’s converged security department was a challenging job that Puhlmann says has left him ready for a break. But don’t expect him to be relaxing for too long. Puhlmann is also the co-founder of the Cloud Security Alliance (CSA), a community of over 33,000 security professionals worldwide that promotes the use of best practices for security in cloud computing. His work with CSA continues to evolve.

Puhlmann recently spoke with CSO about his plans for the next chapter of his career and what changes he’d like to see the security industry adopt.

CSO: You recently left Zynga, where you had served as CSO since 2009. What are your plans now?

Nils Puhlmann: I don’t have any specific plan at the moment, other than spending time with family. Helping to make a startup company successful and turn it into a public company from a security point of view is intense: it’s a lot of work. The job had different challenges than working for a very established company.

I’ll be letting things come toward me in the coming months and then decide what type of security I want to do next; where I want to apply my experience, knowledge and insight. Security is no longer clear-cut. It has different factors and aspects now.

But I’ve been excited so far about all of the different opportunities that have already been sent to me since announcing that I was leaving Zynga.

Want to be in the know about the latest security topics and trends? Become a CSO Insider.

You’ll gain exclusive access to premium content and resources, including:

■ What to buy. In-depth reviews of security and IT solutions

■ Executive and Peer Interviews and Insights. Deep dives with the industry’s top thinkers

■ Practical tips. How-to articles for security and IT professionals

■ Exclusive research & analysis. Incisive reports, case studies, and more

■ How to get ahead. Career advice from industry experts and peers

■ Invitations to select events. Get the inside edge

To register for Insider exclusive content visit: www.csoonline.com/insiders/index

What lessons did you learn from your time at Zynga?

That’s a loaded question. I have learned there is no such thing as “one size fits all” in security. On the other hand, the principles and philosophies that we all learned growing up in the security industry are always valid. A lot of folks now enter the security space or take on more managerial oversight and responsibility. Flexibility and adjusting and adapting to different markets is what a company needs. But at the same time, sticking to what has worked for so long and figuring out what those things are—remembering that certain basic rules and philosophies or principles in security will never go away, and never should—is the balance everyone will have to find. That’s going to be a challenge.

The new generation of security professionals might overemphasize change and flexibility and might not have enough years under their belts to have learned about these principles. Having both sides, making sure both ends of the spectrum are covered, is crucial. Flexibility is needed all around, but not flexibility that sacrifices security.

Talk about the security industry’s next few years. Which trends or concerns are you keeping an eye on?

The next few years are going to be make-or-break for security. Either it will make itself heard—and heard not just for noise, but innovation—or it will be pushed aside. I think it’s time for the industry to wake up. I haven’t really seen it. Anyone who has been going to the same conferences year after year sees buzzwords each year, but it’s mostly old technologies rebranded under new buzzwords or themes.

There is cloud, compliance, mobility, to name a few. But the amount of true innovation that goes into these solutions is actually small compared to traditional tech. It forces the practitioners to fill the vacuum through creative work, and I don’t think that’s sustainable. So either that lack of innovation is addressed and fixed in the industry, or it becomes an afterthought as the pendulum swings from one side to the other.

It could create big issues. It could mean bad things happen around the world that impact business and consumer confidence. In the online and offline world, it can lead to a knee-jerk reaction because you can’t force innovation, but you can force legislation. I always say that in the absence of innovation, there will be legislation, and that will force security to the forefront, but that’s not an efficient place to be.

I see what is happening and it’s worrisome, and it should be worrying everyone. I think it’s up to everyone in the industry to change it—to stop the train and make it move in a different direction before it ends up in a place we don’t want.

“The next few years are going to be make-or-break for security. Either it will make itself heard...or it will be pushed aside.”

-NILS PUHLMANN, FORMER CSO, ZYNGA

What else would you like to see change in security?

I think the organizational aspect of security is something that needs to be addressed. Every company is trying to come up with their own job architectures, trying to figure out where to place security, what they should focus on and do. Security is actually the only profession inside most corporations that tries to solve that individually over and over again.

At some point the industry needs to come up with a baseline and ask: What does good look like? What kinds of functions should be available in the company to really cover security well? Where should they be placed and what should they do?

I had a thought recently: At a company that has had a security executive for five years, how does the CEO of that company know the security program is running well? For every other profession, you have industry publications. There are other companies you can ask because there is enough comparative information. But because security is so individual and unique, it’s hard to compare that. That shouldn’t be the case. That makes it hard for any company, any board of directors, to assess what needs to be changed or fixed or adjusted.

In 2008 you co-founded the Cloud Security Alliance, a nonprofit information-sharing group. What are your plans for CSA?

CSA was such an innovative step that when it first started people said, “Great idea, but it won’t go anywhere.” Now it’s globally available, there are lots of people as members actively contributing content and knowledge, which is exactly what we wanted. We wanted to bring others together to share what works. That concept has worked well and has shown me there is a lot of combined knowledge in this industry, it just needs to be brought together with the right incentives and it will flourish.

CSA will continue to evolve to other areas that we feel need to be addressed, or that people need to be thinking about and sharing their experiences of what has worked, what hasn’t, and make it better. So don’t expect it just to be about cloud. There are other areas to address. We have already started a working group on mobile and mobility.


To Work Better, You Need a Change of Perspective

“IS THAT CHARLIE?” BOOMS A voice. “It’s been years. Man, great to see you!”

If you travel with Charlie (not his real name or details), that greeting echoes out from every level of the working world: executives, managers, security guards, gardeners and frontline workers.

Before settling on a career in the information security team, Charlie worked at a variety of positions in the company because he found them interesting. Now he’s the most respected security architect in the organization: when someone has a question, a challenge or concern, they reach out to Charlie. His security team does the same.

Charlie has a deep understanding of the business (better at times than the business’s own understanding), plus he knows all about the company’s technology and security. Almost instinctively, he assesses the impact and potential impact that security decisions have on the people he has served with, people who still seek him out. His insights bring people together and steer them to choose and implement solutions that increase security, reduce risk and are embraced by the business.

At the pinnacle of a successful security career, Charlie is the embodiment of a simple proverb: “Don’t judge a man until you’ve walked a mile in his shoes.”

Charlie climbed physical ladders, pulled cable, turned switches and dials and gained a firsthand understanding of the company in a way that few others have. Even people with comparable tenure lack the depth of knowledge he has gained and the strength of relationships he has built.

Charlie is an outlier in security today. Trained as an engineer, he took the path of meeting and working with others; he learned the language and embraced the norms. More than just fitting in, Charlie belongs.

For most security professionals, the demands and pace of change, the complexity, and the universal time crunch often lead to tunnel vision with a hyper-focus on implementing and using controls to reduce risk. The current environment makes it too easy to ignore the valid and important perspectives of others in favor of just getting the job done.

A checking-the-box approach seldom increases security or reduces risk. Worse, it harms otherwise impressive security careers.

By forgetting about the people we serve, or simply not taking the time to understand them, we rush to judgment about their capabilities, which leads to frustration, anger and sometimes miscommunication that damages credibility and shortens careers.

To build a better approach for a strong and lasting security career, simply change your shoes.

Seeing the situation from another perspective is the best way to learn. Here are three ways, both formal and informal, to try on a different pair of shoes:

Start a job rotation: Engage in a formal policy of learning and working in different jobs. This is a great way to learn how the business of the company works.

Shadow someone else: Find someone to shadow for a day. The key is to follow your guide and ask questions without judging them or trying to improve them.

Take someone to lunch, learn from their experience: Try something as simple as buying someone lunch, asking them about what they do, and then listening.

The key to these approaches is to change the focus. Shift your mind away from the need to get the job done on your schedule to consider the perspective, environment and schedule of someone else.

Take time to reflect on the emotional and logical responses to those situations. And then look at the security processes, tools and directives you’ve issued to others. Are they designed to meet the needs and environment of you, the security professional, or are they universally designed to meet everyone’s needs?

The key to success in security is focusing on others. Start by changing shoes to get insight into someone else’s job. Then keep walking in other shoes to build a better career, a stronger team and more overall success.

■ Michael Santarcangelo is the founder of Security Catalyst, a consultancy that harnesses the human side of security.




Making Metrics Matter to the C-Suite

TOO MANY INFORMATION SECURITY executives struggle to sell their metrics efforts to the C-suite. What’s the problem? The way the information security industry currently thinks about metrics needs an overhaul. We try to sell operational metrics when we should sell strategic metrics. Here’s the deal: The C-suite listens and reacts only to metrics that mirror its own strategic goals for the organization.

Operational metrics are tools to assess the productivity of the information security team. Examples include: What was the average dwell time for a network intrusion? What is the patching status of our Korean servers? These metrics allow the CISO to determine how efficiently his or her team conducts its work.

Where information security gets into intellectual hot water is when we aggregate various operational metrics and attempt to interpret some broader significance from the results. It doesn’t work. Cobbling together two or three metrics with some complicated algorithm yields generic answers that are neither actionable nor significant.

To build compelling C-suite metrics, we must leave our IT-centric focus behind and instead focus on the organization’s initiatives. The CEO is measured on revenue growth and expense control, so our strategic information security metrics have to mirror these priorities. We need to ask the questions: What are we trying to accomplish as a business? How do we make revenue grow faster, reduce costs, or both? How do our security efforts support these initiatives?

I’ll give you an example from one of IANS’ Fortune 1000 Decision Support clients. One of the corporation’s key initiatives was to increase revenue by opening new retail locations in underserved markets.

To demonstrate value to the C-suite, the information security team aligned itself with this business initiative. The CISO and his team built a series of metrics that showed how their activities were reducing the cycle time for new store launches. The takeaway was pretty clear: the faster a store comes online, the faster the corporation sees revenue and a return on this infrastructure investment.

By the way, this CISO didn’t abandon his operational metrics program in favor of a more strategic position. Those metrics remained invaluable in measuring his team’s performance. That’s an important point to stress: There are operational metrics that are invaluable in measuring day-to-day performance. These are the metrics that allow you to know where you stand and how you are managing your infrastructure.

Ultimately, what I am proposing is two distinct sets of metrics. The first is a set of strategic metrics that CISOs can present to the C-suite. These should focus on how information security is directly helping revenue go up, costs go down, or both. The second set should be operational metrics that help you run your department. Don’t confuse the two and don’t try to make one into the other.

Why has this thinking not taken root? The answer, I think, is primarily a cultural one: we are much more comfortable with technology than business. However, if we want the C-suite to listen to concerns about information security, we’ve got to change.

It requires going outside our comfort zones and seeking out business leaders. We need to create relationships and understand what’s important to the organization. Then we need to figure out how information security supports and drives the overall business initiatives. This is not going to be an easy task, but the CISOs who have made this transition have seen great success in their security programs, particularly with funding.

The members of the C-suite may not understand the intricacies of your security program, but they do understand that security matters. They know they need to spend money on security. When you can take security and link it to a revenue-generating opportunity or a cost-reduction opportunity, allowing the initiative to be done more safely, more securely, more quickly, or all of the above, that’s a huge win.

■ Phil Gardner is the co-founder and CEO of IANS, a provider of in-depth security insights and decision support delivered through research, community and consulting.


Access control isn’t one size fits all either.

From patented key systems to full-featured, online integrated locksets, ASSA ABLOY offers access control solutions tailored to the unique locking needs of each opening. With the industry’s largest range of products, from the most trusted brands, your security dollars reach farther into your facility.

Contact your ASSA ABLOY Integrated Solutions Specialist for a consultation on your next project.

Visit www.intelligentopenings.com/SecurityContinuum.

Download Our App: Want help finding the right solution for any opening? Scan this Microsoft® Tag with your iPad® or visit the App Store to download the Security Continuum App for iPad. (Available on the iPad App Store.)

ASSA ABLOY: The global leader in door opening solutions

ADAMS RITE | CORBIN RUSSWIN | HES | MEDECO | NORTON | SARGENT | SECURITRON | YALE

Copyright © 2012 ASSA ABLOY Inc. All rights reserved.


Cover Story

Common Language

Cooperation between security disciplines isn’t new—but it is improved. Here’s how it works today.

BY BOB VIOLINO

(Art: Anastasia Vasilakis)

IT’S AN OLD STORY: DIFFERENT risk management functions operating in separate boxes, each oblivious to the other’s existence. Security experts have been talking about the need for corporate and IT security to come together for what seems like an eternity. But real cooperation has emerged only in fits and starts.

At long last, we’re starting to see evidence that the walls are coming down, albeit slowly, one brick at a time. Here are four companies that are making it happen.

The Long Struggle

Let’s begin with a short history of the problem.

In the past, physical and IT security shops have had trouble working together. They were created as two separate departments, with different people, cultures and ways of thinking. By sharing skills, technology, processes and best practices, the two disciplines could more effectively defend against threats and deliver the kind of holistic security that organizations need. But change has come at a glacial pace.

Corporate security professionals have become reliant on information security tools and techniques such as identity management, log monitoring and analytics, says David Melnick, principal in the security, privacy and data protection practice at consultancy Deloitte.

“We increasingly live in a world where neither [physical nor information security] can be effective without the ability to integrate with and rely on the other,” Melnick says.

Similarly, IT security pros have become more aware of the human and physical dimensions of protecting data.

The most powerful collaborations between the two disciplines take place during the response to an incident, Melnick says. Physical security “has strong practices and focus on the key issues that emerge when you have to respond to an event [for example, forensic investigation and interviewing], while information security and technology offer increasingly effective sources of intelligence and evidence around the event,” he says. “While some events take place largely in cyberspace and others in the physical world, both require collaboration for the most effective response.”

At ADP and Elsewhere, CSOs Bridge The Gap

The first example of genuine progress comes from Automatic Data Processing (ADP), a provider of outsourcing services for human resources, payroll and other business processes. The company finally became a “fully converged security organization” two years ago, says Roland Cloutier, vice president and CSO.

By creating the office of the CSO and aligning operational security, risk and privacy-service delivery teams, ADP has created a global platform for efficiently and effectively monitoring and delivering key security elements in business operations and product delivery.

Units within the organization are either considered service delivery, client management or platform support, Cloutier says, and all report to a senior leader who has responsibility for all security, risk and privacy functions at the company.

“Security executives now have a much better way to make risk-based decisions on the entire spectrum of critical security issues.”

-ROLAND CLOUTIER, VICE PRESIDENT AND CSO, AUTOMATIC DATA PROCESSING

Service delivery includes programs such as information security, risk management, the company’s Critical Incident Response Center, public safety and client security. Client management is responsible for ensuring that the services are delivered into each division and business unit and that functional business requirements are covered by the services offered by the central delivery teams. And the platform-support teams provide consistent internal operations support while preventing stovepiped processes, overlapping technologies and fiscal mismanagement.

“By consolidating these functions, operating on a shared services platform, enabling cross-discipline metrics, and getting functional leaders at the same table, we are able to better evaluate our security posture, better leverage our technology and capital investments, make better global and enterprise risk decisions, and more effectively make decisions and execute our strategy and daily operations,” Cloutier says.

The reality is that both physical and cyber issues have huge effects on any corporation, Cloutier says.

“From intellectual property protection to cyber intrusions, privacy, protected data assurance, client funds protection, product security, and workforce safety, all impact business operations, client management and satisfaction, brand, and shareholder investment,” he explains.

By merging security programs and developing cross-discipline metrics and governance functions, companies have a better quantitative and qualitative view of the efficacy of their security investments, Cloutier says.

He prefers not to think of the success of the converged program just in terms of threat avoidance, but rather as a cross-disciplinary “ecosystem approach” to the prevention, detection, deterrence and management of key security, risk and privacy operations.

With this approach, “security executives now have a much better way to make risk-based decisions on the entire spectrum of critical security issues against a business, and migrate shared resources and funds to the area most critical at the time of need,” Cloutier says.


Heartland’s Struggle

At Heartland Payment Systems, a provider of payment-processing, payroll and other services, CSO John South has struggled to marry physical and IT security to better protect the firm’s enterprise and merchant customers. It’s become an important piece of the puzzle as Heartland has fought to regain its footing following a massive security breach four years ago.

Back then, a group of hackers successfully broke into Heartland’s network, stealing data from more than 100 million credit and debit cards on the company’s network, which handles card processing for restaurants, retailers and other merchants.

“With Heartland facilities located in several locations across the country, it is important to have a consolidated approach to our physical security,” South says. “Physical security is a part of many of our IT compliance obligations,” such as the Payment Card Industry Data Security Standard. “So it is important that it is integrated into the IT audits and policies established to protect the company,” he says.

Each quarter, the firm’s IT auditors review the physical security controls already in place. “This includes site reviews and some components of physical security that are basic to a secure facility, such as examining the completeness of visitor records,” South says.

The most important factor driving the collaboration between physical and cyber security is the need for quick and reliable access to information about the state of physical security in Heartland’s various facilities, South says. “It is important to monitor the safety and security of our employees and our facilities both during working hours as well as during off-hours when someone might be looking for a way to break in,” he says.

With consolidated monitoring, the company has the ability to respond quickly to emergencies as they occur. “It’s the real-time access to physical security information that strengthens our approach to security,” South says.

A close collaboration between physical and cyber security could help prevent a physical attack or breach that might be coupled with a cyber component, either as a part of the attack itself or to obfuscate the physical penetration of the company, South says. “With combined monitoring, we can shorten the reaction time between an attempted breach and our response,” he says.

Cybersecurity Becomes a Physical Challenge

Another company aiming to link physical and IT security is YRC Worldwide, a holding company that oversees shipping businesses such as YRC Freight and Reddaway.

“The number of successful hacks into corporations around the world is the force that is driving our physical and IT security organizations to partner closely and work as one,” says George Rather, CIO of YRC Worldwide.

“Cyberattacks have shifted from the harmless antics of bored teenagers to professional hackers sponsored by foreign entities that can bring corporations down.”

Rather works closely with CSO Butch Day, who’s in charge of physical security initiatives at YRC. The company has created a cyberattack section in its Crisis Response and Communications Plan. The plan dictates what actions to take if the company experiences an attack, such as what to shut down to prevent any damage from spreading (led by IT security); who to notify, including partners, law enforcement agencies and customers (led by physical security); and what to communicate (led by physical security).

The physical and IT security teams also partner on internal security concerns, Day says, such as guarding against an attack from within by a disgruntled employee. In early 2012, YRC deployed an intrusion-prevention system (IPS) that not only lets the company know if it’s under attack externally but also helps it detect improper use of its computer and network-based assets.

“If management identifies an employee [who] is acting suspiciously, the physical security team will be engaged to investigate,” Day says. “As part of that investigation, the physical-security team can request IT support to review the employee’s computer, Web and phone logs to affirm or disprove the suspicious activity” by using tools such as IPS.

Day’s team has a large contingent of former law-enforcement officials who have a variety of specialties in security and investigations. They often work in conjunction with the IT security group.

“When they identify something, we look at all the evidence they compiled and take it from there,” Day says. “Our CEO has made it clear that anytime we need anything, we can draw on [IT] resources, and it’s worked very well.”

Part of what’s made the collaboration so successful is the absence of the turf battles that go on at some organizations, Day says. “It’s amicable, a great working relationship,” he says.

One of the recent initiatives undertaken by the groups is a move to IP video surveillance technology, and the physical security group is working with IT to choose and implement video equipment.

Airport Trades Silos for Teamwork

Los Angeles World Airports (LAWA) also aims for close cooperation between the law enforcement and security group and the IT organization.

Physical security systems that use IT components (access control devices, closed-circuit TV, radios, and so on) are primarily used by law enforcement and are managed by the Information Management and Technology Group (IMTG), says Dominic Nessi, deputy executive director and CIO.

“[Usage] policy is established by law enforcement and IMTG sees them as the stakeholder and decision-maker,” Nessi says. “IMTG keeps abreast of technology advancements and works with the law enforcement organization to determine whether or not they would be of value to LAWA.”




Over the past five years, law enforcement and IMTG have worked together to plan and implement a number of technology improvements, including a new digital trunked radio system, mobile data computers in vehicles, and a new 911 call system.

Ongoing projects include a nearly completed replacement of the physical-access-control system at Los Angeles International Airport (LAX) and a major replacement of LAX’s CCTV and video-storage system.

“In all of these initiatives, law enforcement has been the project sponsor with IMTG being the delivery mechanism,” Nessi says.

LAWA has implemented an internal network upon which security systems, airport systems and back-office systems ride, Nessi says. “Though they are one physical network, they are logically separate to provide each with the appropriate cybersecurity measures,” he says. “The primary factor driving this scenario is efficiency in the delivery approach. One network uses less physical infrastructure, is more cost-effective to operate and maintain, and requires only one network-management staff.”
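The logical separation Nessi describes, one physical network carrying security, airport and back-office systems in separate segments, only protects anything if the policy between the segments is explicit and defaults to deny; otherwise an IP camera or door controller on the security segment is reachable from every back-office desktop, and a compromised camera has a path back the other way. The Python below is an added example, not LAWA’s configuration or code from the article: it models such a plan as zones with a default-deny inter-zone policy and a short allow list, then audits a few constructed flow records against it. The zone names, address ranges, allowed flows and sample flows are assumptions chosen for illustration.

```python
"""Added example: one physical network, several logically separate zones,
default-deny between zones.  Zone names, address ranges, rules and sample
flows are assumptions for illustration, not any real organisation's plan."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN/subnet plan for the three system families the article names,
# plus a small management subnet for the single network-management team.
ZONES = {
    "security":   ipaddress.ip_network("10.10.0.0/16"),  # CCTV, access control, radio
    "airport":    ipaddress.ip_network("10.20.0.0/16"),  # operational airport systems
    "backoffice": ipaddress.ip_network("10.30.0.0/16"),  # email, HR, finance, desktops
    "mgmt":       ipaddress.ip_network("10.99.0.0/24"),  # network-management staff only
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]   # None means any destination port


# Explicit allow list.  Any inter-zone flow not matched here is denied.
ALLOW = [
    Rule("mgmt", "security", "tcp", 22),         # admins manage camera/ACS hosts
    Rule("mgmt", "airport", "tcp", 22),
    Rule("mgmt", "backoffice", "tcp", 22),
    Rule("security", "mgmt", "udp", 514),        # syslog from security devices to collector
    Rule("airport", "mgmt", "udp", 514),
    Rule("backoffice", "security", "tcp", 443),  # guard desks reach the video web front-end (assumed)
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default-deny inter-zone policy: only listed flows cross a zone boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown address: treat as outside the plan, deny
    if src == dst:
        return True           # intra-zone traffic is governed inside the zone
    for r in ALLOW:
        if (r.src_zone == src and r.dst_zone == dst and r.proto == proto
                and (r.port is None or r.port == port)):
            return True
    return False


def audit_flows(flows):
    """Return the flow records that the policy would not permit.

    Flows are (src_ip, dst_ip, proto, dst_port) tuples, the shape you would
    get from exported NetFlow/firewall logs."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed sample flow records (not captured from any real network).
SAMPLE_FLOWS = [
    ("10.99.0.5", "10.10.3.20", "tcp", 22),     # admin SSH to a camera: allowed
    ("10.30.7.41", "10.10.3.20", "tcp", 443),   # guard desk to video web UI: allowed
    ("10.30.7.41", "10.10.3.20", "tcp", 23),    # back-office host telnet to camera: denied
    ("10.10.3.20", "10.30.0.10", "tcp", 445),   # camera reaching a file server: denied
    ("10.20.1.9", "10.20.1.10", "tcp", 8080),   # inside the airport zone: allowed
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION", flow)
```

The property worth checking is the direction of the default: a device on the security segment gets no route to back-office file servers unless a rule says so, and the audit function turns the written policy into something a quarterly review can run against exported flow logs rather than a diagram.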

To increase collaboration between physical and IT security, some enterprises might need to reorganize their security operations.

“Strategic organizational design questions often become the brick wall that stops the convergence conversation,” says Melnick of Deloitte. “Partly this is because most organizations still bury information security within IT much like how traditional security lives within HR, finance or operations.”

The answer might lie in combining these organizations, partly “to elevate the reporting relationship of the resulting integrated capability, as either one on their own [has] trouble making it to the C-suite level,” Melnick says.

The value of integration is becoming increasingly clear, Melnick says, but the organizational design questions are not as clear.

“Ultimately, some combination of responsibilities will need to be brought together to elevate the capability to the C-suite, and this will likely require the partnering with compliance, risk-management, privacy or other functional areas — depending on the industry and organization — before we have true convergence,” he says.


■  Bob  Violino  is  a  frequent  contributor  to 
CSO.  Send  feedback  to  editor  Derek  Slater  at 
dslater@cxo.com. 


[Illustration: memo from John Johnson II, CEO, The Duffy/carr Companies, to Pete Peterson, DCC security manager; body text not recoverable]




